General Information
• When operating in a FIPS-approved mode, PKI key/certificates must be between 1024- bits and 4096-bits, inclusive.
• The supported cipher combinations allowed for SSL negotiation are limited to:
○ SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 256 bit AES encryption, and SHA1 HMAC
○ SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 168 bit 3DES encryption, and SHA1 HMAC
○ SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 128 bit AES encryption, and SHA1 HMAC
Each of the above combinations uses RSA key exchange; therefore, RSA based key/certificates must be used.
• In FIPS Mode, the private key must use the PKCS#8 format and PKCS#12 compatible encryption of the private key, which allows the use of the necessary strong encryption algorithm of 3DES encryption and SHA1 hashing.
• Note that traditional PEM encoded encrypted private key files will typically start with the line:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
Procedure
These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL. Refer to Using OpenSSL for the general instructions
The private key you want to convert must already be an RSA private key and be between 1024 and 4096 bits in length, inclusive. It is only possible to convert the storage format for the private key. Changing the type of key and its length is not possible and requires generation of a new private key.